NoAH: Network of Affine Honeypots

Computer networks have become vital infrastructure for virtually all
organizations. Unfortunately, they have also become both source and
victim of increasingly sophisticated attacks. 'Worms' especially are
hard to fight, as they are autonomous, self-replicating programs that
may spread across the world in minutes ('flash worms'), leaving no
time for human administrators to respond in a timely fashion. Instead,
an Intrusion Detection System (IDS) is needed that is able to cope
with current and future worms.

The NoAH project will perform the technical preparatory work
towards the implementation of a European Infrastructure of Affine
Honeypots. The Infrastructure will consist of a Network of Honeypots
that will be able to collaborate towards studying, identifying, and
responding to cyberattacks, including both previously encountered
attacks and new types of attacks. This infrastructure will provide a
wealth of information about the way cyberattackers operate within the
European cyberspace. Such information can be used by a wide variety of
stakeholders, including security administrators, security researchers,
Security Emergency Response Teams, the European Network and
Information Security Agency, National CyberSecurity Agencies, and many
more, in order to defend the European Cyberspace in the most effective
way.

The problem

Recently, we have been witnessing an increasing number of cyberattacks
over the Internet. Viruses, Worms, Exploits, Trojan Horses, and
Denial-of-Service attacks continue to plague our networks and to
attack our systems at an alarming rate. For example, a couple of years
ago, most of the world was astonished to learn that more than 4,000
Denial-of-Service (DoS) attacks are being launched on the Internet
every week. Besides DoS attacks, malicious self-replicating programs,
better known as worms, continue to plague our networks, to multiply
rapidly, and to have the ability to cause damage of unprecedented
magnitude. For example, in January 2003, the Sapphire Worm infected
more than 75,000 computers in less than 30 minutes. In addition to
worms, viruses continue to multiply and to gain access to our personal
life, passwords, and bank accounts. The BugBear-B virus, for example,
during the summer of 2003 hit several computers on the Internet where
it installed a keyboard logger that was able to steal passwords and
gain access to secret information, including banking accounts and
personal email messages.

Fortunately, the computer and network security industry has
developed a number of products that can help us defend against
cyberattacks. Such products include firewalls, antivirus systems,
intrusion detection systems (IDSs), and intrusion prevention systems
(IPSs). Although these products can provide a decent level of
protection, their effectiveness is limited to identifying only known
forms of cyberattacks. For example, although an antivirus system can
identify all known forms of viruses, it is usually helpless when
confronted with a new type of virus. Until now, new cyberattacks have
been studied by security experts in security laboratories. After studying
each new cyberattack for several hours or even days, the security
experts provided updates to the antivirus and intrusion detection
systems, which from that point onwards are able to recognize and stop
the new form of the attack. However, new forms of cyberattacks, such
as the previously mentioned Sapphire worm, are able to propagate very
rapidly, leaving very little (if any) time for human
intervention. That is, it is not possible for humans to manually study
a worm such as Sapphire and update the antivirus and Intrusion
Detection Systems before the worm hits practically all computers on
the Globe. To prevent damage caused by new and rapidly spreading
cyberattacks, we need to develop new security systems that must be
able to recognize new types of cyberattacks quickly and automatically
without any human intervention.

The solution: a European Network of Affine Honeypots

In order to be able to capture and recognize new types of
cyberattacks, security experts have developed honeypots. A honeypot is
a computer system that does not serve any ordinary users and does not
provide any advertised service. Since it has no users, a honeypot
should neither receive nor generate any traffic under ordinary
conditions. If the honeypot receives or generates traffic, this is
probably because it has been attacked (or compromised). Effectively, a
honeypot is a decoy system that lures attackers into compromising
it. Every attack against a honeypot is logged so that security
administrators will be able to study and analyze it. Once security
administrators analyze an attack they will be able to produce
immunization metrics against it. Over the last four years, security
experts have been using honeypots in order to study attackers by
capturing the development of their attack while it was being
planned, discussed, and deployed.

Although honeypots deliver information that is very accurate and
usually consists only of cyberattack-related activity, their major
disadvantage is that they have a very narrow field of view. That is,
they are able to provide information only about the attacks they
receive themselves. For example, if their neighbor computer is heavily
under attack, honeypots would not notice it until they are attacked
themselves. Thus, although honeypots have the potential to identify
cyberattacks, each one of them lacks the critical mass needed to make
fast and accurate decisions regarding the recognition and spread of
new cyberattacks. For example, suppose that an organization deploys a
single honeypot, and that a new worm starts to spread. Then it may
take a long time before the worm attacks the honeypot: on average,
the worm will attack half the computers on the Internet before
attacking this particular honeypot. By then it would probably be too
late to take countermeasures against the worm: on average, the worm
would already have hit half of the organization's systems.
Fortunately, the more honeypots an organization deploys, the sooner
the worm hits one of them. For example, if an organization deploys k
honeypots, then on average at least one of them will be hit after
only about 1/k of the vulnerable machines on the Internet have been
infected. If an organization deploys 1,000 honeypots, then one of them
will detect the new cyberattack after only about one thousandth of
the vulnerable machines have been hit. However, deploying and managing
such a large number of honeypots may be very difficult for a single
organization. Moreover, the locality of the IP addresses that these
honeypots will share within a single organization will probably make
them less effective, since they will cover only a narrow local subset
of the Internet.
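A small Monte Carlo check of the 1/k argument above (an added example, not code from the NoAH project or its documents): it models a worm that probes a pool of vulnerable hosts and k honeypots in uniformly random order, and compares the simulated fraction of vulnerable hosts infected before the first honeypot is probed with the exact expectation 1/(k+1) under that model. The host counts, trial counts and the uniform-scanning assumption are constructed for the example.

```python
import random


def fraction_before_first_honeypot(n_vulnerable, k, rng):
    """One trial of the constructed model: a worm probes every address in
    a pool of n_vulnerable hosts plus k honeypots in uniformly random
    order. Returns the fraction of vulnerable hosts infected before the
    first honeypot is probed, i.e. before the attack can be detected."""
    pool = [False] * n_vulnerable + [True] * k  # True marks a honeypot
    rng.shuffle(pool)
    infected = 0
    for is_honeypot in pool:
        if is_honeypot:
            break
        infected += 1
    return infected / n_vulnerable


def expected_fraction(k):
    """Exact expectation under uniform random ordering: each vulnerable
    host precedes all k honeypots with probability 1/(k+1), so the
    expected fraction infected before first detection is 1/(k+1).
    For k = 1 this is the 'half the computers' case from the text; for
    large k it is approximately the 1/k the text quotes."""
    return 1.0 / (k + 1)


def simulate(n_vulnerable, k, trials, seed=1):
    """Average the fraction over `trials` independent random scan
    orders, using a fixed seed so the result is reproducible."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        total += fraction_before_first_honeypot(n_vulnerable, k, rng)
    return total / trials


if __name__ == "__main__":
    for k in (1, 10, 100, 1000):
        sim = simulate(n_vulnerable=10000, k=k, trials=200)
        print(f"k={k:5d}  simulated={sim:.4f}  "
              f"exact 1/(k+1)={expected_fraction(k):.4f}")
```

The uniform-scanning assumption is the optimistic case; a worm whose scanning favours nearby addresses, combined with honeypots clustered in one organization's address range, is the locality problem the text raises and is not captured by this model.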

In NoAH, we propose to study the feasibility and perform the necessary
technical preparatory work towards building an Infrastructure
consisting of a European Network of Affine honeypots. This will be a
network of honeypots that cooperate and exchange information in order
to effectively combat cyberattacks.